HHS Reports Highlight Ongoing Struggle with Healthcare Data Breaches and HIPAA Compliance


WASHINGTON, D.C. — The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently released two reports to Congress detailing the state of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law designed to protect the privacy and security of patients’ health information. The reports, mandated annually by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, provide crucial insight into the healthcare sector’s ongoing struggle with data breaches and compliance.

HIPAA sets the minimum required privacy and security safeguards for protected health information. It also grants individuals rights over their health information, such as the right to access their medical records. The law applies to most healthcare providers, health plans, and healthcare clearinghouses, known as regulated entities, as well as their business associates.

In 2022 alone, OCR received 30,435 new complaints alleging violations of the HIPAA rules. Of these, the office resolved 32,250 complaints and initiated 846 compliance reviews. In the course of these investigations, OCR identified areas of noncompliance and enforced corrective actions or civil penalties in 80% of cases, underscoring the serious nature of these violations.

Monetary settlements from 17 complaint investigations totaled $802,500. One complaint investigation resulted in a civil money penalty of $100,000. Three compliance reviews led to resolution agreements and corrective action plans, resulting in additional monetary payments totaling $2,425,640.

These figures highlight the substantial challenges facing the healthcare sector in maintaining HIPAA compliance and protecting sensitive patient information. Despite the law’s clear requirements and the severe consequences of noncompliance, many regulated entities continue to fall short in their duties.

The second report to Congress focuses on breaches of unsecured protected health information (PHI) reported to the HHS Secretary in 2022. The findings underscore the continued need for regulated entities to improve compliance with HIPAA’s Security Rule requirements, which include risk analysis and management, information system activity review, audit controls, response and reporting, and person or entity authentication.

Hacking and IT incidents were the largest category of breaches, accounting for 77% of all reported breaches involving 500 or more individuals. Network servers were the most common location for these large-scale breaches, representing 58% of reported incidents.

These reports come on the heels of HHS’s recent efforts to bolster cybersecurity across the healthcare sector. In December 2023, the department released a comprehensive cybersecurity strategy, and in January 2024, it issued voluntary cybersecurity performance goals.

Yet, as the latest OCR reports demonstrate, the healthcare sector still has a long way to go in protecting patient data and achieving full HIPAA compliance. The high number of complaints, investigations, and penalties is a stark reminder of the significant work that lies ahead.

The stakes are high. Data breaches can have serious repercussions for patients, from identity theft to medical fraud. For healthcare providers, the fallout can include heavy fines, reputational damage, and loss of patient trust.

These annual reports are an essential tool for regulated entities and their business associates, shedding light on the areas that need improvement and providing guidance for their HIPAA compliance efforts. As the healthcare sector continues to grapple with data security, the lessons gleaned from these reports will be critical in shaping future strategies to safeguard patient information.

OCR’s 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html

OCR’s 2022 Report to Congress on Breaches of Unsecured Protected Health Information may be found at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html
